I received an email today that claimed to come from eBay Germany and at first glance looked like yet another phishing scam, complete with a link to a website for me to click on to “protect my account”. Even more suspiciously, the greeting at the top did not address me by my first name or full name.
Only when I looked at the message headers did I realize that the mail actually came from eBay’s mail servers. It was real. Still, as a simple precaution I typed eBay’s website address into a browser window to log in from scratch, ignoring the link in the email, just in case…
Later, when I had another look, I noticed that the small print at the bottom did actually mention my full name, again supporting that the mail was legitimate.
I found the whole experience pretty disappointing for a company of this size that has been in the business for so long and during that time has always been a prime target for phishing scams:
1. Please address the customer by their full name, otherwise you undermine years of education efforts. PayPal addresses all their customer mails to the full name of the recipient; why not eBay? Sceptical people may have ignored that email, while for naive people it has made it harder to distinguish phishing mails from real mails.
2. Please do not ask people to click a link in an email claiming to be from you to go to a website that asks for their user name and password. Simply ask them to go to the eBay website in a browser and log in there. That removes any question of whether a link is genuine or whether it’s safe to click on.
Don’t train customers to do things in your real business emails that phishing scammers would also like them to do, especially when there are alternatives.